MSBlaster Update
Bob McCoy
[email protected]
Technical Account Manager
Premier Support
Microsoft Corporation
August 20, 2003 11:30
Names
W32.Blaster.Worm (Symantec)
W32/Lovsan.worm (McAfee)
WORM_MSBLAST.A (Trendmicro)
Win32.Posa.Worm (Computer Associates)
Symptoms
Computer reboots every few minutes without user input
Computers become unresponsive
Who is Vulnerable?
Microsoft Windows NT 4.0 (affected)
Microsoft Windows 2000 (infected)
Microsoft Windows XP (infected)
Microsoft Windows Server 2003 (affected)
Infection Evidence
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = "msblast.exe"
msblast.exe in the Windows System32 directory
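As an added example (not code from the presentation), the following Python script checks a host for the two indicators listed above: the "windows auto update" value under the Run key and an msblast.exe file in System32. The registry export and the System32 listing it runs over are constructed sample data, and the .reg text format is the plain "name"="data" form that a `reg export` of the Run key produces; those are the only assumptions.

```python
"""Check autorun entries and a System32 listing for the MSBlast indicators
named on the slide. Added example with constructed sample data."""
import re
from typing import Dict, List

# Indicators from the slide: the Run value name/data and the dropped file.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "windows auto update"
DROPPED_FILE = "msblast.exe"

# Constructed sample: what a .reg export of the Run key looks like on an
# infected host. Not captured from a real machine.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"windows auto update"="msblast.exe"
"""

# Constructed sample directory listing of %SystemRoot%\System32.
SAMPLE_SYSTEM32 = ["cmd.exe", "MSBLAST.EXE", "rpcss.dll", "svchost.exe"]

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"\s*$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [key] and "name"="data" lines of a .reg export into
    {key: {value_name: data}}. Only REG_SZ values are handled, which is
    all the Run key normally contains."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                result[current][m.group("name")] = m.group("data")
    return result


def find_blaster_indicators(reg_export: str, system32_listing: List[str]) -> List[str]:
    """Return a list of findings; an empty list means neither indicator was
    seen. Matching is case-insensitive because NTFS and the registry are."""
    findings = []
    run_values = parse_reg_export(reg_export).get(RUN_KEY, {})
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME or DROPPED_FILE in data.lower():
            findings.append(f"Run value {name!r} = {data!r}")
    for fname in system32_listing:
        if fname.lower() == DROPPED_FILE:
            findings.append(f"{fname} present in System32")
    return findings


if __name__ == "__main__":
    for finding in find_blaster_indicators(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM32):
        print("INDICATOR:", finding)
```

On a real host you would feed `find_blaster_indicators` the output of `reg export` for the Run key and a listing of %SystemRoot%\System32; the file check is kept case-insensitive so a renamed-case copy is not missed, and a clean host returns an empty list.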
Vulnerability Details
The vulnerability is in the part of RPC that deals with message exchange over TCP/IP
It occurs because of incorrect handling of malformed messages
This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled ports
Vulnerability Details
An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system
To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on specific RPC ports (port 135, 139, 445 or 593 or any other specifically configured RPC port on the remote machine)
What's the Fix?
The patch corrects the vulnerability by altering the DCOM interface to properly check the information passed to it.
Anatomy of an Attack (1 of 3)
Attacker | Target
Attacker: Scan an IP address range looking for a target with port 135 listening
Attacker: Select which exploit code to send: Windows 2000 (20%), Windows XP (80%)
Attacker: Send exploit code to the target via TCP port 135
Anatomy of an Attack (2 of 3)
Attacker | Target
Target: If target is unpatched, and ...
Target: Exploit code matches system type: open remote command shell listening on TCP port 4444
Target: Exploit code does not match system type: RPC subsystem fails
Attacker: Start TFTP server listening on UDP port 69
Attacker: Send a command to the target via port 4444 directing target to download MSBlast.exe from the infector
Target: Issue a TFTP "Get" command to the infector via port 69
Anatomy of an Attack (3 of 3)
Attacker | Target
Attacker: Send command via port 4444 to execute MSBlast.exe
Target: Run MSBlast.exe which creates registry entries that will cause it to be run again when a user subsequently logs onto the system
Attacker: Disconnect from port 4444
Target: Close the command shell
Attacker: Close the TFTP server
Target: Begin DDoS (syn flood) attack after 8/16 00:00
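Added example, not part of the presentation: detection logic in Python that runs over connection-log lines and flags the three-stage pattern the three slides above describe (TCP/135 attacker to target, then TCP/4444 attacker to target, then UDP/69 from the target back to the attacker), and separately reports hosts that probe port 135 on several destinations, which is the scanning stage and is visible even when no target answers. The log lines are constructed and their "time proto src -> dst" layout is an assumption made for the example.

```python
"""Spot the MSBlast propagation pattern in connection logs.
Added example with constructed log lines; not from the original presentation."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed firewall/flow log lines in a simple "time proto src -> dst" form.
# 10.1.1.5 scans two hosts, exploits 10.1.2.7, which then fetches via TFTP.
SAMPLE_LOG = """\
2003-08-12T10:01:02 TCP 10.1.1.5:3201 -> 10.1.2.7:135
2003-08-12T10:01:02 TCP 10.1.1.5:3202 -> 10.1.2.8:135
2003-08-12T10:01:03 TCP 10.1.1.5:3210 -> 10.1.2.7:4444
2003-08-12T10:01:04 UDP 10.1.2.7:1045 -> 10.1.1.5:69
2003-08-12T10:05:00 TCP 10.1.3.9:1100 -> 10.1.2.8:135
2003-08-12T10:05:01 TCP 10.1.3.9:1101 -> 10.1.2.8:445
2003-08-12T11:00:00 UDP 10.1.4.2:2000 -> 10.1.9.9:69
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_log(text: str) -> List[Tuple[str, str, str, str, int]]:
    """Return (ts, proto, src_ip, dst_ip, dst_port) for each well-formed line."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append((m["ts"], m["proto"], m["src"], m["dst"], int(m["dport"])))
    return flows


def find_blaster_chains(text: str) -> List[Tuple[str, str]]:
    """Return (attacker, target) pairs where the three stages appear in order.
    Lines are assumed to be sorted by timestamp already."""
    # Stage reached per (attacker, target): 1 = 135 seen, 2 = 4444 seen, 3 = TFTP back
    stage: Dict[Tuple[str, str], int] = defaultdict(int)
    hits: List[Tuple[str, str]] = []
    for _ts, proto, src, dst, dport in parse_log(text):
        if proto == "TCP" and dport == 135:
            stage[(src, dst)] = max(stage[(src, dst)], 1)
        elif proto == "TCP" and dport == 4444 and stage[(src, dst)] >= 1:
            stage[(src, dst)] = max(stage[(src, dst)], 2)
        elif proto == "UDP" and dport == 69 and stage[(dst, src)] == 2:
            # The TFTP request flows target -> attacker, so the key is reversed.
            stage[(dst, src)] = 3
            hits.append((dst, src))
    return hits


def scanners(text: str, min_targets: int = 2) -> List[str]:
    """Hosts that connected to TCP/135 on at least min_targets distinct
    destinations: the scanning stage from slide 1 of 3."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for _ts, proto, src, dst, dport in parse_log(text):
        if proto == "TCP" and dport == 135:
            targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)


if __name__ == "__main__":
    print("scanners:", scanners(SAMPLE_LOG))
    print("full chains:", find_blaster_chains(SAMPLE_LOG))
```

The chain detector deliberately requires all three stages in order, so a host that merely receives a port-135 probe (10.1.2.8 in the sample) is not reported as compromised; the scanner list is the broader, noisier signal and is what you would page on first during an outbreak.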
4 Steps for Home Users
Install/Enable a Firewall
Update Windows
Use Antivirus Software
Remove the Worm
Protect Your PC
http://www.microsoft.com/security/protect/
Went live Aug 18th
Firewalls
Windows XP and Windows Server 2003 include Internet Connection Firewall
Windows 2000 can use IPSec filtering
http://support.microsoft.com/?id=309798
ipseccmd -f 0+*:69:UDP *+0:69:UDP -n BLOCK -w REG -p "Block TFTP" -r "Block client/server TFTP" -x
PXE, RIS and ADS use TFTP
Specific port filtering only buys you some time due to variants
Third party software firewalls
External firewalls
The Internal Threat
VPN port filtering
Quarantine / Sandbox
Network scan and shut off ports
Client logon scripts
Partners and trust: filtering at the edge
Group Policy
Set IPSec filter
Restrict execution of msblast.exe
Watch out for variants
Custom scripts
Only works on Windows 2000 and later
XP Home ineligible for domain policy
Good Worm, Bad Worm
Latest variant looks for vulnerable computers, patches & reboots them
Names: Nachi, Blaster-D, Welchia
http://www.microsoft.com/technet/security/virus/alerts/nachi.asp
Increased network traffic (ICMP)
Scanning continues until 1/1/2004
It's still a worm, and all the legal issues associated with unauthorized access
Exploits RPC (MS03-026) and WebDAV (MS03-007) vulnerabilities
Removal Tools
Network Associates
http://www.nai.com/us/promos/nai_lovsan.htm
Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
Computer Associates
http://www3.ca.com/virusinfo/virus.aspx?ID=36265
Sophos
http://www.sophos.com/support/disinfection/blastera.html#2
Stop the Rebooting
"Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly." (unrepentantly)
Start | Run | Services.msc | Remote Procedure Call (RPC) | Recovery
Change recovery option
Stop the Timer
Start | Run (R)
shutdown -a
Deployment Technologies
SMS with Feature Pack
Software Update Services (uses the Automatic Update component)
Login script
Third party tools (St Bernard, Tivoli, et al)
VBScript
http://support.microsoft.com/default.aspx?kbid=827227
SneakerNet
Software Update Services
Cryptographic Error
Cryptographic Services may not be started
Database corruption in catroot2
Windows Update 643 Error and the Catalog Database
http://support.microsoft.com/default.aspx?scid=kb;EN-US;817287
net stop cryptsvc
ren %systemroot%\system32\catroot2 oldcatroot2
net start cryptsvc
Installer Convergence
Many product teams ► many installer technologies
Historically driven by architectural differences
Two standards: Windows Installer (MSI), Update.exe
Most will migrate after MSI 3.0 is released
Patch Verification
SMS
Scan with MS Baseline Security Analyzer
MS03-036 Scanner
http://www.microsoft.com/downloads/details.aspx?familyid=c8f04c6c-b71b-4992-91f1-aaa785e709da
May give false positives on Win9x machines that have DCOM98 installed
Support
NT 4.0 Server SP 6a
Workstation was not initially supported
Will not install with previous SPs
Win2000 SP 3 & 4
Will install on Win2000 SP 2, however, it's not supported
Hot fix support for DEC Alpha ended December 31, 2001
Support Lifecycle
http://support.microsoft.com/lifecycle
System Confidence
"But the infection period = full access by bad guys to your PC. How can you 100% know you have caught + reversed every possible malicious action? For 100% confidence you must flatten & reinstall."
Root compromise
http://www.cert.org/tech_tips/root_compromise.html
It Really Hurts
My customer has no less than 7 separate production configurations (just for workstations), more than 1,000 applications in use (in multiple languages), and machines located in more than 135 countries, some of which have total in-country bandwidths as low as 32K total.
Windowsupdate.com
DDoS target of the worm (syn flood)
Attacks scheduled to begin 8/16/03 at 00:00 local
"A" records for windowsupdate.com now point to 127.0.0.1
It was an easy redirect to the real update site
"One strategy for cushioning the blow was to extinguish the Windowsupdate.com site," said Microsoft spokesman Sean Sundwall. "We have no plans to ever restore that to be an active site."
DDoS Schedule
[Calendar chart: days 1 to 31 across, months Jan to Dec down; legend: "No DDOS attacks" / "DDOS attacks"]
Did we get lucky?
Hard coded URL to expendable domain
No intelligence about what client was being attacked
Worm had to drag the payload in behind it
Payload was fairly benign
Patch was available
Power failure in the NE US
Resources
Main MSBlast Page
http://www.microsoft.com/security/incident/blast.asp
Knowledge Base Article 823980
http://support.microsoft.com/default.aspx?scid=kb;en-us;823980
PSS Security Response Team Alert
http://www.microsoft.com/technet/security/virus/alerts/msblaster.asp
Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/security/bulletin/ms03-026.asp
More Info
Patch Management Whitepaper
http://www.microsoft.com/security/whitepapers/patch_management.asp
ISA Server helps block Blaster traffic
http://www.microsoft.com/isaserver/techinfo/prevent/blasterworm.asp
Microsoft DCOM RPC Worm Alert
https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
Stanford report on RPC Exploits
http://securecomputing.stanford.edu/win-rpc.html
ISP White paper
http://www.microsoft.com/serviceproviders/security/isp_blaster.asp
TechNet Webcasts
What Network Administrators Should Know About The Blaster Worm
Live Event: August 21, 2003 - 11:00am to 12:30am Central Time
http://www.microsoft.com/usa/webcasts/upcoming/2342.asp
How To Recover Your Home Computer From The Blaster Worm
Live Event: August 20, 2003 - 2:30pm to 4:00pm Central Time
http://www.microsoft.com/usa/webcasts/upcoming/2343.asp
How To Recover Your Home Computer From The Blaster Worm
Live Event: August 21, 2003 - 2:30pm to 4:00pm
http://www.microsoft.com/usa/webcasts/upcoming/2344.asp
© 2002 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.